Sophos Firewall

Discussions LAN to LAN block

Sophos Firewall requires membership for participation - click to join

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LAN to LAN block

Mike Lawson over 7 years ago

I am trying to setup a rule to block LAN to LAN traffic

Port 1(LAN): 172.16.16.16

Port 2: WAN DHCP

Port 3(LAN): 10.10.10.1

I am able to pink from 172.16.16.17 to 10.10.10.1

I have setup firewall rule LAN to LAN network 172.16.16.0 (source) 10.10.10.0 (destination) block however still able to ping

Have tried changing Port 3 to new Zone LAN3 but still able to ping. Any ideas?

This thread was automatically locked due to age.

Parents

rrosson over 7 years ago

Wonder if the device access is overriding your rule.
Cancel
Vote Up 0 Vote Down

Cancel
rfcat_vk over 7 years ago in reply to rrosson

What he hasn't said is where the rule is in the rule order list?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
Mike Lawson over 7 years ago in reply to rfcat_vk

I have tried putting the rule above and below LAN <> WAN and no difference in all cases able to ping 10.10.10.1 from 172.16.16.17
Cancel
Vote Up 0 Vote Down

Cancel
ShunzeLee over 7 years ago in reply to Mike Lawson

10.10.10.1 is XG's interface.

XG's interface belong Local zone, not LAN zone.

If you allow ping of LAN zone in device access, you will able to ping the XG's interface IP 10.10.10.1 from LAN.

But not allow to ping other IP in 10.10.10.0/24, since you block the LAN to LAN (10.10.10.0/24) in firewall rule.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

ShunzeLee over 7 years ago in reply to Mike Lawson

10.10.10.1 is XG's interface.

XG's interface belong Local zone, not LAN zone.

If you allow ping of LAN zone in device access, you will able to ping the XG's interface IP 10.10.10.1 from LAN.

But not allow to ping other IP in 10.10.10.0/24, since you block the LAN to LAN (10.10.10.0/24) in firewall rule.
Cancel
Vote Up 0 Vote Down

Cancel

Children

Mike Lawson over 7 years ago in reply to ShunzeLee

Thats was my next layer of thinking. If I put a device on the 10.10.10.0 address this should not be pingable.

Behind this I have a Ubquiti network which I have not connected (looking to disable NAT in next version). What I want to make sure is that users on a particular VLAN cannot access the Sophos interface or network associated with it which is why I am asking the question
Cancel
Vote Up 0 Vote Down

Cancel
ShunzeLee over 7 years ago in reply to Mike Lawson

You may set the Port3 to another zone.

So that you can control if the zone can access XG.
Cancel
Vote Up 0 Vote Down

Cancel
Mike Lawson over 7 years ago in reply to ShunzeLee

I can see more testing coming on
Cancel
Vote Up 0 Vote Down

Cancel
Mike Lawson over 7 years ago in reply to Mike Lawson

That worked I put a Pi on the 10. 10.10.0 network and the rule blocked it. Thanks
Cancel
Vote Up 0 Vote Down

Cancel